From 6dd2d79d973fc28e9548b6e64e98cc947b6cf2fd Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Mon, 8 Jun 2026 15:54:30 +0200
Subject: [PATCH] * Mon Jun 08 2026 Miroslav Rezanina - 20260221-3
- edk2-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch [RHEL-182419]
- edk2-Bumped-to-OpenSSL-3.5.5-3.patch [RHEL-165726]
- Resolves: RHEL-182419
 (edk2/x64: re-enable legacy kernel loader)
- Resolves: RHEL-165726
 (CVE-2026-28390 edk2: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing [rhel-10.3])
---
 ...86QemuLoadImageLib-flip-default-for-.patch | 71 +++++++++++++++++++
 edk2.spec | 14 +++-
 sources | 2 +-
 3 files changed, 84 insertions(+), 3 deletions(-)
 create mode 100644 edk2-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch
diff --git a/edk2-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch b/edk2-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch
new file mode 100644
index 0000000..bec9e4d
--- /dev/null
+++ b/edk2-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch
@@ -0,0 +1,71 @@
+From b89fdcc3378033dd9836d10f74e8541b72fbda63 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 5 Jun 2026 11:30:09 +0200
+Subject: [PATCH 1/2] Revert "OvmfPkg/X86QemuLoadImageLib: flip default for
+ EnableLegacyLoader to false"
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 111: Revert "OvmfPkg/X86QemuLoadImageLib: flip default for EnableLegacyLoader to false"
+RH-Jira: RHEL-182419
+RH-Acked-by: Luigi Leonardi
+RH-Commit: [1/1] 7549a66485f3047a60fbb54512a570d924ca3206 (kraxel.rh/centos-src-edk2)
+
+This reverts commit d2cbaefc082294eadaa30a3d5f0fa8ba264a574a.
+
+virt-install must be adapted before this works,
+and it didn't happen yet.
+
+Resolves: RHEL-182419
+
+Signed-off-by: Gerd Hoffmann
+---
+ .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 2 +-
+ OvmfPkg/RUNTIME_CONFIG.md | 15 ++++++---------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+index f98f8ab885b..b16bdeb47f8 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+@@ -449,7 +449,7 @@ QemuLoadKernelImage (
+ &Enabled
+ );
+ if (EFI_ERROR (RetStatus)) {
+- Enabled = FALSE;
++ Enabled = TRUE;
+ }
+
+ if (!Enabled) {
+diff --git a/OvmfPkg/RUNTIME_CONFIG.md b/OvmfPkg/RUNTIME_CONFIG.md
+index 57d0dd96111..b75a5dacadf 100644
+--- a/OvmfPkg/RUNTIME_CONFIG.md
++++ b/OvmfPkg/RUNTIME_CONFIG.md
+@@ -153,19 +153,16 @@ without EFI stub. If you are using kernels that old secure boot
+ support is the least of your problems though ...
+
+ The linux kernel is typically signed by the distro secure boot keys
+-and is verified by the distro `shim.efi` binary. qemu version 10.0
+(released in April 2025) got support for passing the shim binary
++and is verified by the distro `shim.efi` binary. qemu release 10.0
++(ETA ~ March 2025) will get support for passing the shim binary
+ (additionally to kernel + initrd) to the firmware, so the usual secure
+ boot verification can work with direct kernel load too.
+
+-In edk2-stable202502 and newer the EnableLegacyLoader config option is
+-available and enabled by default.
++For now the legacy loader is enabled by default. Once the new qemu
++release is available in most linux distros the defaut will be flipped
++to disabled.
+
+-In edk2-stable202602 and newer the EnableLegacyLoader config option is
+-disabled by default.
+-
+-Here is the qemu command line for direct kernel boot with secure boot
+-verification:
++Usage (qemu 10.0+):
+
+ ```
+ qemu-system-x86_64 \
+-- 
+2.52.0
+
diff --git a/edk2.spec b/edk2.spec
index eca3b89..2086aba 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -6,7 +6,7 @@ ExclusiveArch: x86_64 aarch64 riscv64
 %define TOOLCHAIN GCC
 %define OPENSSL_VER 3.5.5
-%define OPENSSL_HASH 5e13c4eed2856269a92b58914b19503ba1401b55
+%define OPENSSL_HASH 7ee5eab42c0c00feea3fed210379d54150b9c6cd
 %define DBXDATE 20251016
@@ -25,7 +25,7 @@ ExclusiveArch: x86_64 aarch64 riscv64
 Name: edk2
 Version: %{GITDATE}
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 License: BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL: http://www.tianocore.org
@@ -91,6 +91,8 @@ Patch24: 0026-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch
 Patch25: 0027-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
 Patch26: 0028-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
 Patch27: 0029-OvmfPkg-X64-add-opt-org.tianocore-UninstallMemAttrPr.patch
+# For RHEL-182419 - edk2/x64: re-enable legacy kernel loader
+Patch28: edk2-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
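Review bot: The OPENSSL_HASH bump in the `@@ -6,7 +6,7 @@` hunk is, per the changelog, what carries the CVE-2026-28390 fix, but nothing next to the define says so, and the changelog line `- edk2-Bumped-to-OpenSSL-3.5.5-3.patch [RHEL-165726]` names a file this commit does not add (the diffstat lists only the revert patch, edk2.spec and sources). That naming is presumably the convention for tracking an openssl-rhel snapshot bump rather than a real patch file; if so, a comment on the define keeps the fix auditable from the spec itself, e.g. `# RHEL-165726 (CVE-2026-28390): openssl-rhel snapshot; tarball SHA512 pinned in sources`. The sources hunk updates the checksum for the same commit id, so the two values should keep moving together.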
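Review bot: The comment added above Patch28 in the `@@ -91,6 +91,8 @@` hunk undersells what the patch does: the inner hunk in X86QemuLoadImageLib.c makes `Enabled = TRUE` the fallback whenever reading the EnableLegacyLoader setting fails (`EFI_ERROR (RetStatus)`), so the legacy loader is active not only when the setting says so but also when it is absent or unreadable, and the restored RUNTIME_CONFIG.md text presents that loader as the interim path until shim-based verification of direct kernel boot is available. Since this is a deliberate, temporary revert of upstream d2cbaefc082294eadaa30a3d5f0fa8ba264a574a, the spec should say so and name the exit condition, e.g. `# For RHEL-182419 - edk2/x64: re-enable legacy kernel loader by default, also when the setting is unreadable (reverts upstream d2cbaefc; drop once virt-install is adapted)`. The restored documentation text also reintroduces the `defaut` typo, which a faithful revert reproduces but could be fixed downstream.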
@@ -487,6 +489,14 @@ install -m 0644 \
 %changelog
+* Mon Jun 08 2026 Miroslav Rezanina - 20260221-3
+- edk2-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch [RHEL-182419]
+- edk2-Bumped-to-OpenSSL-3.5.5-3.patch [RHEL-165726]
+- Resolves: RHEL-182419
+ (edk2/x64: re-enable legacy kernel loader)
+- Resolves: RHEL-165726
+ (CVE-2026-28390 edk2: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing [rhel-10.3])
+
 * Thu Apr 23 2026 Miroslav Rezanina - 20260221-2
 - edk2-Bumped-to-OpenSSL-3.5.5-2.patch [RHEL-161575]
 - Resolves: RHEL-161575
diff --git a/sources b/sources
index d0f6281..fb604d8 100644
--- a/sources
+++ b/sources
@@ -2,4 +2,4 @@ SHA512 (DBXUpdate-20251016.aa64.bin) = 2af6d22d139ff58cb2d0dc0883257b6131f1bd9cc
 SHA512 (DBXUpdate-20251016.x64.bin) = 0452d2c302f702eeb2d549fd5ac4b3c3623172de9559a881bc92875590f3c5b65e301b880f5f76786e22b1af145b2aa6e58c74fef00a279950f3d6641aef484e
 SHA512 (dtc-1.7.0.tar.xz) = d3ba6902a9a2f2cdbaff55f12fca3cfe4a1ec5779074a38e3d8b88097c7abc981835957e8ce72971e10c131e05fde0b1b961768e888ff96d89e42c75edb53afb
 SHA512 (edk2-b7a715f7c03c.tar.xz) = c7f24a5bc56ce9e9ef53aef3610fc399e43bcc5a17a0c389c02ffced22baf6dce42d0e577dd18771fc0f52dec5f992feaf3aa8fad15d10b10ace73ceb56afabd
-SHA512 (openssl-rhel-5e13c4eed2856269a92b58914b19503ba1401b55.tar.xz) = ce8e811eb82d5a904145daf9557aabb9ff31bfd7b94d2bb34f2819c436478bb74f02feefd2eb3300f36483dfac0c729a42311f22ae5ceb28eee0fadaf44a6fc2
+SHA512 (openssl-rhel-7ee5eab42c0c00feea3fed210379d54150b9c6cd.tar.xz) = 04d92f5a15829fa96c2bffa809ba148d3843884a05703bfbb718d4811d2f24f92eea33f45f4948e28400c4854940384374b81756f0644ca747c9def2e0c43eae